Archive for the ‘phrack’ Category

At last, Phrack #68 is out! As usual, here is a quick personal view of each article of this issue…

Introduction by The Phrack Staff
It’s a nice introduction article, I like it. However, although this is not something directly connected to this article, I will write it here since it is about the new issue release. I have mentioned it in the previous issue too. I’m finding it very disgraceful seeing security conferences advertised on the Phrack website just because some Phrack editor(s) are organizing or taking part in them (at least it is removed now).

Phrack Prophile on FX by The Phrack Staff
I personally know and respect FX so this was a pleasant-to-read Phrack prophile. I don’t have much to say here, well done Phrack Staff! :)

Phrack World News by TCLH
I personally really liked the way the news is presented in this article. It is written with a nice flow that connects the different news items and makes perfect sense as a security world news overview.

Linenoise by various
This is great news! Linenoise is back with some very good small articles. I guess I have a couple of friends that would highly appreciate the 0x07 one ;)

Loopback by The Phrack Staff
A lot is said about the reactions to the Greek hacking scene article of the previous issue, which I also didn’t find even close to reality (as I know it). Although I do not agree 100% with what this GHS email contains, it has some very accurate points, especially about the Greek Phrack submitters (Slasher, huku and argp), all of whom were, and some still are, owned and also exposed in the past (e.g. Slasher). The rest of the Loopback was very fun to read.

Android platform based Linux kernel rootkit by dong-hoon you
A nice article about a poorly documented subject. We all know that such rootkits have been backdooring Androids in the wild for quite some time and h0h0 has even made a presentation on it at DefCon in 2010, but it is always good to have some technical documentation to get started with. Thank you x82!

Happy Hacking by Anonymous
In the hard times we’re all living in it is nice to know what makes people happier. Very nice article.

Practical cracking of white-box implementations by SysK
I’m not that much into crypto stuff so I found this article extremely informative. Congratulations to SysK for the excellent work.

Single Process Parasite: The quest for the stealth backdoor by Crossbower
Backdoors are an old love of mine. In some cases they’re even more interesting than exploits. Based on this article by Crossbower I guess that we will soon see more Linux based malware…

Pseudomonarchia jemallocum: The false kingdom of jemalloc, or on exploiting the jemalloc memory manager by argp and huku
About 2 years ago I played a lot with jemalloc for a Mozilla Firefox exploit but this does not even compare to the documentation that argp and huku did in this article. Excellent work. Congratulations to both argp and huku for this.

Infecting loadable kernel modules: kernel versions 2.6.x/3.0.x by styx^
Very cool idea and really nice implementation. Again, this article combined with Crossbower’s article can result in some advanced Linux malware.

The Art of Exploitation: Exploiting MS11-004 Microsoft IIS 7.5 remote heap buffer overflow by redpantz
“redpantz” did it again, publishing a great exploitation article. As is mentioned in the article, it is a great example that something that is initially considered a DoS even by experienced vulnerability researchers could in fact result in something much more serious.

The Art of Exploitation: Exploiting VLC: A case study on jemalloc heap overflows by huku and argp
This along with the previous jemalloc exploitation article are currently the best publicly available references for jemalloc exploitation. Once again, congratulations guys. Nice work.

Secure Function Evaluation vs. Deniability in OTR and similar protocols by greg
As I mentioned above I’m not that much into cryptography so all these articles are very interesting and new to me.

Similarities for Fun & Profit by Pouik (Androguard Team) and G0rfi3ld
I’ll be honest with you. I didn’t read it. I stopped after a few minutes so I cannot comment on it. I will read it when I have a clear head.

Lines in the Sand: Which Side Are You On in the Hacker Class War by Anonymous
Neat article of what’s going on in the hacking world. Not much to say about it. Nice reading.

Abusing Netlogon to steal an Active Directory’s secrets by p1ckp0ck3t
It’s been a while since we have seen such a high quality hacking article for the Windows platform in Phrack. Definitely one of the best articles of this issue.

25 Years of SummerCon by Shmeck
I like security/hacking gatherings, conferences, meetings, etc. but it is not good to see them advertised (even like this) on an e-zine such as Phrack. Anyway…

International Scenes by Various
So, the last article talks about Korea, where I happen to have some friends, and Greece, where I happen to have a few more. I cannot comment or add anything regarding the Korea part of the article but since I’ve been more or less involved in the Greek security world I think I have the right to express my opinion.
Definitely a much better and more complete article than the one in the previous Phrack issue. However, it still misses (maybe intentionally) referencing currently active Greek hackers, members of well known foreign underground groups as well as some very skilled (I am personally aware of two) Greek hacking groups that have been active for at least the last 10 years. Anyway, I don’t like to be mean. Overall it’s a good article.

So, today the 67th issue of Phrack was released. This is a special day for Phrack since it’s the same date that the first issue was released in 1985, 25 years ago.
Before moving to the articles I want to say something that has bothered me since the day I saw it. I think it’s completely inappropriate for such an ezine to indirectly advertise a security industry conference. Regardless of the technical level of the conference I’m finding it at least sad.
Anyway, let’s move to the articles which is the important part…

Introduction by The Phrack Staff
So… The first document after more than a year from the Phrack staff starts with a nice intro that leads to a really obscure (for Phrack) result. After a message from Mike Schiffman/route/daemon9 regarding the 25th birthday of Phrack, there is some inside joke against halfdead and next, the table of contents. Also, the Phrack editors inform us that this is a release dedicated to userland exploitation.

Phrack Prophile on Punk by The Phrack Staff
That was a great profile of a l33t hacker. I’m not going to add anything more here. Just go read it.

Phrack World News by EL ZILCHO
The world news of this issue deals with four subjects. The TJX Case, where information on the people involved is provided and, in addition, there is a very interesting introduction to cases that involved various government agencies’ cooperation worldwide. The next subject is about the Stuxnet worm that got all that attention recently. Here, the author discusses the political hacking that this story (as well as some other cases such as Aurora) involves and its possible explanation. Following that, the last subject is the WikiLeaks one. This part discusses mostly the recent leak of the Iraq war diaries from both points of view. It’s a nice read. At last, there is a small paragraph on the scene events which is more of a conclusion section of the article.

Loopback (is back) by The Phrack Staff
First of all, I’m glad the loopback section is back because it was always one of the funniest parts of each issue. Nothing to add here. You must read it.

How to make it in Prison by TAp
That’s the first non-technical article that was published in this issue. Its aim is to provide information that will help us if/when we find ourselves in a prison environment. It’s separated into small sections, which makes it easier to follow, and deals with all kinds of stuff from the first day in prison to everyday life. Anyway, it’s a good read although it’s based on the American judicial system, which might differ from country to country.

Kernel instrumentation using kprobes by ElfMaster
And now the first technical one… My first experience with kretprobes/jprobes was yesterday when I saw the title of that article before its release. I was already quite sure that you could use them in creating rootkits, which would be fairly easy if you’ve ever coded even the simplest kretprobe/jprobe kernel module (I did yesterday :P).
Anyway, back to the article. Beginning with simple examples of both kretprobe and jprobe, it moves to information regarding the kprobes implementation in the Linux kernel. Next, ElfMaster codes a file hiding kernel module using both techniques from the previously acquired knowledge. The following part is probably the most interesting since it deals with modifying read-only kernel segments. To do this he uses the classic technique of disabling Write-Protection (using the 16th bit of the CR0 register) that I personally first saw in PaX’s native_pax_{open,close}_kernel() functions. At last, a rootkit against mprotect()/mmap() restrictions is provided and concepts such as detection are covered. It’s definitely one of the best articles in my opinion. Congrats dude! :)

ProFTPD with mod_sql pre-authentication, remote root heap overflow by FelineMenace
This is something that will piss off some people for sure. It’s full disclosure of a remote ProFTPd 0day. Since last year there was some rumor about a FelineMenace member disclosing a ProFTPd remote root on Phrack but that was only a rumor. Anyway, the bug is an overflow in sql_prepare_where() that FelineMenace noticed when the developers attempted to fix a different security issue. The write-up is awesome from an exploit developer’s point of view and since it’s now public information, I highly recommend you study it carefully. As I’ve said before, “Art of Exploitation” was my favorite Phrack section, but releasing a ProFTPd 0day? I strongly disagree…

The House Of Lore: Reloaded ptmalloc v2 & v3: Analysis & Corruption by blackngel
Continuing from the previous journey into ProFTPd’s allocator we have blackngel‘s article on ptmalloc v2 and v3. In this article blackngel goes through ptmalloc‘s internals in order to achieve successful exploitation. The techniques described are the ‘SmallBin’ and ‘LargeBin’ corruption, starting from simple examples that demonstrate the exploitation on modern operating systems and then moving to more complex ones. There is also an analysis of the ptmalloc3 implementation which is mostly a comparison with the previously used ptmalloc2 from an exploit developer’s point of view. The last parts of the article deal with mitigation strategies. The author also provides some vulnerable code that could be used in wargames. Pretty cool article! :)

A Eulogy For Format Strings by Captain Planet
As we all know, format strings aren’t that common compared to a few years ago. In this article Captain Planet (nice one…) reveals some techniques to bypass format string protections on modern systems, that is, the GNU C Library’s FORTIFY_SOURCE protection, and uses Ronald Volgers’ CVE-2010-0393 to demonstrate his technique on a real world application. Definitely an article worth reading.

Dynamic Program Analysis And Software Exploitation by BSDaemon
BSDaemon published another article in this issue of Phrack. His article is about a project that is released along with it that can make exploitation easier. It’s a dynamic analysis application that aims at software exploitation. Its name is VDT Project but since I haven’t read this article carefully and haven’t tested the code I won’t say anything more. It sounds like a great project though.

Exploiting Memory Corruptions in Fortran Programs Under Unix/VMS by Magma
First of all, I had (and still have) no idea that Fortran was used in banking software as the author states in the introduction of his article. I knew about COBOL applications, but Fortran?
Anyway, for the sake of knowledge I read this article too. So, after an introduction to the basics of Fortran we have our first contact with Fortran memory corruption bugs. He then discusses other bug classes including type casting vulnerabilities, signedness bugs, integer overflows/underflows, dangling pointers etc. Knowing this, the author introduces the reader to the world of the OpenVMS operating system. By doing this, you get to know OpenVMS specific behaviors as well as subjects like the VMS heap memory allocator etc. and at last, exploitation of a heap based memory corruption vulnerability on the OpenVMS platform. The last sections include mitigation strategies, a summary and greetings.

Phrackerz: Two Tales by Antipeace & The Analog Kid
This is another non-technical article featured in issue #67 of Phrack. It’s a nice question/answer series with two people, Antipeace & The Analog Kid, who answer questions about hacker culture and the overall lifestyle from the hacker’s point of view.

Scraps of notes on remote stack overflow exploitation by pi3
This next article is written by pi3 and it’s one of my favorites from this issue. Specifically, in this article you can find some little details that can be used in remote exploitation of stack overflows. As the author says, nowadays remotely exploiting vulnerabilities has become harder because of the various protections that are implemented. Here, after describing in detail some neat tricks, he moves to proof-of-concept code that demonstrates them. One of the highlights here is that his PoC works under grsecurity systems too. ;)

Notes Concerning the Security, Design and Administration of Siemens DCO-CS Digital Switching Systems by The Philosopher
I can recall talking about this at 26c3 with some people but ‘The Philosopher’ did some excellent work here. Even though I don’t know much about such stuff I found that article very informative and, as always, giving a lot of useful information from a security perspective. Nevertheless, I won’t comment further since I don’t have the required knowledge to do so.

Hacking the mind for fun and profit by lvxferis
This non-technical document written by lvxferis is about NLP, which I believe almost everyone has experimented with at some time. It’s just an overview of NLP but you’ll probably love the greetings section (especially the people who know what he’s saying about kcope) :P

International Scenes by various
Yeah baby! Let’s see what we have here…
The story begins with the Indian Hacking scene which was written by an anonymous null community member. Since I don’t know much about Indian hackers I’ll say nothing BUT… I cannot do the same for the second part of this article which has this title:
“An overview of the Greek computer underground, part 1”
and it’s written by (I can guess who you are): “two (not really) anonymous G(r)eeks”. Oh… my… Let the games begin…
– GRHACK
Since you say that there will be a second part I won’t comment that GRHACK is something new (I know, different people, different goals). Also, there are really few hackers, if any in this community. Most of them are either security professionals (aka whitehats) or individual researchers.
– 0x375
Never participated in one. I have no idea how it’s related to the .gr scene and that’s why I will not comment on this.
– AthCon
Seriously..? I mean for real!!? A security industry conference has to do with the hacking scene of Greece… Yeah, whatever.
– 2600
Unfortunately (or fortunately?), now 2600 is just a bunch of friends that meet once a month to have some beer and talk. I am one of those people and I can assure you that it has nothing to do with hacking.
– Online forums
I have lots of stories about forum wars and stuff but I think the authors are correct, although the technical level is not very high in most of these forums. Here there is also a reference to me and my blog, but just to clarify: this is not my main involvement with the security and hacking scene of Greece and of course, this is not the nick I use anywhere else apart from wordpress.com
– Controversial groups
Heh… that lxplus.cern.ch defacement… It was one of the best stories ever. Its purpose was just to piss some other Greek guys off :P
I have nothing to add about ‘Greek Hacking Scene’ group but an article regarding the historic ‘Greek Hackers Society’ group would be nice. At last, the H4F subject is not that simple but it’s also highly illegal to discuss anything about it.
– Demo scene
No comment
– Pentesting community
It’s true that most whitehats in Greece used to be part of the hacking scene.
– Open source related events
No comment… No wait! One word, ricudis.
– Academia
No comment
– Conclusion, what does the future hold
No comment
Now.. Something that is very true: “…Greek “scene” is small, obscure, full of ignorant and incompetent people…”. Since you’re not involved in the .gr scene (and I cannot say that I am (at least directly) either), you probably wouldn’t have noticed that there was absolutely no reference to the underground. It exists but maybe the authors didn’t know about it, I don’t know. There are underground hacking groups in Greece that are active (some of them with skilled hackers writing remote kernel exploits and knowing how to bypass most protections) and there are also Greek people in international groups as well. I will not say anything since it’s not my job. Maybe the people who submitted the article should have done the same. There are only a very few people who could talk about this subject because they know exactly what’s going on in the hacking scene (I’m not one of them). One of the authors used to be a hacker a long, long time ago.
I was always hoping for such a section in the “International Scenes” but always worried about the person that was going to write it. Anyway, I have nothing left to say.

Overall it’s a pretty good issue with an awesome Phrack Prophile and some kick-ass articles like pi3’s and FelineMenace’s. Also, if you noticed, from this issue on there are no more “The Circle of Lost Hackers” but instead, “The Circle of Found Hackers”. Just kidding. :P
As you saw the editorial team is now called “The Phrack Staff”.
Personally, I would like to thank everyone (except the anonymous G(r)eeks) starting from the Phrack editorial team, hackers, researchers, contributors etc. that helped to create this issue. Honestly, thank you people! :)

– Introduction
It was kind of sad regarding the underground quotes.
Personally, I like mayhem’s comment about the French contributors. heh
– Phrack Prophile on The PaX Team
Jesus! Pipacs on Phrack! I bet spender will be soooo sooo happy with this :P Admit it. the_uT’s one was more interesting.
– The Objective-C Runtime: Understanding and Abusing
Once again nemo did it. He explores and exploits Objective-C in Mac OS X. Also, his asl_* abuse was pretty neat :)
– Developing a Trojaned Firmware for Juniper ScreenOS Platforms
This article by Graeme was great! It’s one of the very few articles dealing with backdoored image files in network devices. I really liked that!
– Yet another free() exploitation technique
Man… I am flattered! A brilliant Greek from GRHack wrote one of the best articles of this issue. Thank you hk!
– Persistent BIOS Infection
Core Security shows us the way to BIOS infection. Even though this is not a new concept, they made some remarkable research in this article and it definitely deserves your time.
– Exploiting UMA : FreeBSD kernel heap exploits
Hehe! The popular Greek coder argp and the well known researcher Karl Janmar from signedness wrote an innovative paper about FreeBSD kernel heap exploitation. This is not anything new but they did excellent work in documenting it in great detail. This is clearly the ultimate FreeBSD kernel heap exploitation article I am aware of.
– Exploiting TCP and the Persist Timer Infiniteness
ithilgore and his crazy network stuff… I have to admit that when he told me about that design flaw I was unable to follow. This is an amazing article since it is theoretical, practical and innovative all in one :P Well done ithilgore! :)
– MALLOC DES-MALEFICARUM
The third article in this issue about heap exploitation was written by blackngel. This is another excellent work on heap exploitation which, as the author states, aims to make practical examples of the classic Malloc Maleficarum. Something like what K-sPecial did in the .aware alpha release. They went far beyond this with this paper!
– A Real SMM Rootkit
This is written by Filip Wecherowski who at last makes a real SMM rootkit. There has been a lot of hype about SMM rootkits since the Phrack #65 article and the Blackhat 2008 presentation. This article goes extensively through the details of such rootkits.
– Alphanumeric ARM shellcode
This is written by Yves Younan and Pieter Philippaerts. Forgive me for that but I don’t think this compares to the rest of the articles of #66. It is still a great resource for ARM internals and the undocumented alphanumeric shellcoding in RISC ARM processors. Nevertheless, shellcoding for exotic CPUs is not something really innovative. It is still an amazing article, this is just my opinion in comparison to the rest of the papers.
– Power cell buffer overflow
This article written by BSDaemon talks about CELL exploitation. As I said earlier, even though I love reading/studying such subjects from my geeky side, I found them impractical from my security side. Unless you’re planning to have some PS3 botnet…Anyhow, excellent analysis and great enhancement of the already known exploitation techniques for CELL.
– manual binary mangling with radare
A great new framework for reverse engineering written by pancake. I haven’t studied radare in detail yet but from this article, it seems beautiful.
– Linux Kernel Heap Tampering Detection
If you’re interested in Linux kernel heap exploitation or detection of tampering, this is just a great resource. It is written by Larry H. and explains all of the memory allocators used in the Linux kernel in detail. Then it compares their limitations to the OpenBSD and NetBSD implementations as well as the recent safe unlinking of Windows. Really cool article. It even deals with subverting SELinux and AppArmor.
– Developing Mac OSX kernel rootkits
Two Swedish guys, ghalen and wowie, wrote about OS X rootkits. I don’t know much about OS X and I was surprised to see how easy it really is to code rootkits (in comparison to Linux). Thank you guys for this article :)
– How close are they of hacking your brain?
This is a completely different article written by dahut. It deals with concepts such as injecting content into our brains and similar subjects which I’m not really keen on. Still a really interesting article.

To conclude, in my opinion Phrack #66 is excellent even though it has some sort of “heap exploitation mania” :P Every single article is great. Congratulations to everyone involved in achieving this. On the downside, it didn’t include any “art of exploitation” article, which I really liked, and there was no “international scenes” article, but I am aware of the problems you had finding one. Thank you all for this release :)